International team takes down virus-spewing Andromeda botnet

Infections spread across over 200 regions

Police and private companies have taken down a massive botnet used to move malware onto compromised PCs.

The Andromeda botnet, also known as Gamarue, is thought to have spanned over two million PCs and distributed over 80 types of malware onto infected PCs. It was shut down on November 29 in a combined operation by Europol, the FBI, security vendor ESET and Microsoft.

A suspect thought to be associated with the botnet was arrested in Belarus.

"This is another example of international law enforcement working together with industry partners to tackle the most significant cyber criminals and the dedicated infrastructure they use to distribute malware on a global scale," said Steven Wilson, the Head of Europol's European Cybercrime Centre.

"The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us."

The Andromeda takedown was made possible by last year's operations to close the Avalanche botnet. During that effort German police found important information about Andromeda on one of the computers seized during the anti-Avalanche operation and passed the details on to Europol.


Traffic from Andromeda-infected PCs has now been disrupted, with the authorities taking control of 1,500 malicious domains employed by the malware. Microsoft noted that these domains were contacted by over two million IP addresses in 223 countries and municipalities.

The Andromeda malware first appeared in September 2011 and was detected and blocked on over a million PCs last month. The code's primary purpose was to harvest credentials but the malware's highly modular design allowed operators to add in their own custom modules for things like web page content theft or spam campaigns.

Researchers at Microsoft and ESET spent 18 months tracking the Wauchos malware used to build the botnet in order to identify its command and control mechanisms. They then moved, with police help, to take control of the domains used to direct the botnet, in the hope that it cannot be restarted.

"In the past, Wauchos has been the most detected malware family amongst ESET users, so when we were approached by Microsoft to take part in a joint disruption effort against it, to better protect our users and the general public at large, it was a no-brainer to agree," said Jean-Ian Boutin, senior malware researcher at ESET.

"This particular threat has been around for several years now and it is constantly reinventing itself – which can make it hard to monitor. But by using ESET Threat Intelligence and by working collaboratively with Microsoft researchers, we have been able to keep track of changes in the malware's behavior and consequently provide actionable data which has proven invaluable in these takedown efforts." ®